<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head>


<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
		<meta name="generator" content="MediaWiki 1.15.1">
		<meta name="keywords" content="SSH Tutorial for Linux,Windows,Linux,Shell accounts,SSH Tutorial for Windows">
		<link rel="shortcut icon" href="http://support.suso.com/favicon.ico">
		<link rel="search" type="application/opensearchdescription+xml" href="http://support.suso.com/w/opensearch_desc.php" title="Support Documentation (en)">
		<link rel="alternate" type="application/rss+xml" title="Support Documentation RSS Feed" href="http://support.suso.com/w/index.php?title=Special:RecentChanges&amp;feed=rss">
		<link rel="alternate" type="application/atom+xml" title="Support Documentation Atom Feed" href="http://support.suso.com/w/index.php?title=Special:RecentChanges&amp;feed=atom">
<title>SSH Tutorial for Linux - Support Documentation</title>

<!--[if lt IE 7]><script src="/w/skins/suso2009/ie7/ie7-standard-p.js" type="text/javascript"></script><![endif]-->

<style type="text/css" media="screen, projection"> @import "/w/skins/suso2009/main.css"; </style>
<style type="text/css" media="screen, projection"> @import "/style.css"; </style>

<script type="text/javascript" src="SSH_Tutorial_for_Linux_files/index.php"></script><script type="text/javascript" src="SSH_Tutorial_for_Linux_files/wikibits.js"></script>

<style type="text/css"></style>

<script type="text/javascript" src="SSH_Tutorial_for_Linux_files/browser.js"></script>
<script type="text/javascript" src="SSH_Tutorial_for_Linux_files/fadomatic.js"></script>
<script type="text/javascript" src="SSH_Tutorial_for_Linux_files/functions.js"></script>
<!--[if lt IE 7]>
<script src="http://ie7-js.googlecode.com/svn/version/2.0(beta3)/IE7.js" type="text/javascript"></script>
<![endif]-->
<script type="text/javascript">
</script> 

</head><body>

<script type="text/javascript">
	if (is_win) {
		document.write("<style type='text/css' media='screen, projection'> @import '/w/skins/suso2009/main.win.css';</style>");
	}
</script>

<style type="text/css">
.editsection { display: none; visibility: hidden; }
</style>

  <table width="950" align="center" border="0" cellpadding="0" cellspacing="0">
  <tbody><tr>
      <td></td>
      <td class="top_bg" width="950">
      <table border="0" cellpadding="0" cellspacing="0">
      <tbody><tr>
          <td width="30%">
          <!--<A HREF="/supki/Main_Page"><IMG SRC="/images/susologo-2009silver-tightlock-60x60.png" ID="susologo" ALIGN="left" ALT="Suso Logo" BORDER="0"></A>-->
          <img src="SSH_Tutorial_for_Linux_files/susologo-2009oldbutbold-50px-trans.png" alt="Suso Logo" align="left">
          <span class="suso_title"><a href="http://www.suso.com/">suso</a><span class="title_trademark">™</span></span><br>
          <span class="slogan">Support Site</span>
          </td>
          <td valign="bottom" width="945" align="right">
          <table border="0">
          <tbody><tr>
              <td align="right">
              <nobr>
              <a href="http://www.suso.com/" class="toplinks">main site</a>&nbsp;&nbsp;&nbsp;&nbsp;
              <a href="http://webmail.suso.org/" class="toplinks">webmail</a>&nbsp;&nbsp;&nbsp;&nbsp;
              </nobr>
              </td>
          </tr>
          <tr>
              <td align="right"></td>
          </tr>
          </tbody></table>
          <!-- End of top right website nav -->
  
          <table border="0" cellspacing="0">
          <tbody><tr>
              <td>
              <div id="mainmenu"><ul id="submenu">
                  <li class="menu" id="menutop"><a href="http://support.suso.com/index.php">HOME</a></li>
                  <li class="menu" id="menutop"><a href="http://support.suso.com/supki/">DOCUMENTATION</a></li>
                  <li class="menu" id="menutop"><a href="http://support.suso.com/email_support.php">EMAIL SUPPORT</a></li>
                  <li class="menu" id="menutop"><a href="http://support.suso.com/forums/">USER FORUM</a></li>
              </ul>
              </div>
              </td>
          </tr>
          </tbody></table>
          <!-- End of top right support menu -->
          </td>
      </tr>
      </tbody></table> <!-- End of header table -->
      </td>
      <td></td>
  </tr>
  <!-- End of header -->
  <tr>
      <td class="side_left_bg" rowspan="2"> </td>
      <td class="middle_bg" width="950">


<!-- End of Suso made header -->

        <!-- Begin wiki body table. -->
        <table summary="" id="bodyTable" border="0" cellpadding="0" cellspacing="0">
        <tbody><tr valign="top">
            <td style="width: 850px;" id="middleDiv" valign="top">

            <div id="bodyDiv">

                <div id="topBackground">
                    <div id="siteTitle"><a href="http://support.suso.com/supki/Main_Page">Support Documentation</a></div>
                    <div id="loginText"><a href="http://support.suso.com/supki/Special:Userlogin">log in / create account</a></div>
                </div>

                <!-- This is the grey menu area -->
                <table id="menuTable" width="100%" border="0" cellpadding="0" cellspacing="0">
                <tbody><tr valign="center">
                    <td class="menuItem" onmouseover="showMenu('mainMenu', 'homeLink', 'left');" nowrap="nowrap"><a href="http://support.suso.com/supki/Main_Page" id="homeLink">wiki</a></td>
                    <td class="menuItem" nowrap="nowrap"></td>
                    <td nowrap="nowrap" width="55%"></td>
                    <!--
                    <td align="middle" nowrap>
                    Categories:
                     <A CLASS="topcategorylink" HREF="">E-mail</A> 
                     <A CLASS="topcategorylink" HREF="">Web Hosting</A> 
                     <A CLASS="topcategorylink" HREF="">Domains</A>
                     <A CLASS="topcategorylink" HREF="">VPS</A> 
                     <A CLASS="topcategorylink" HREF="">Shell Accounts</A> 
                     <A CLASS="topcategorylink" HREF="">Servers</A></td>
                     -->
                    <td nowrap="nowrap" width="45%"></td>
                    <td class="menuItem" nowrap="nowrap">search</td>
                    <td class="menuItem" nowrap="nowrap">
                    <form id="searchForm" name="searchForm" action="/supki/Special:Search">
                    <input id="searchField" name="search" autosave="wiki" results="20" accesskey="f" type="text">
                    <input name="fulltext" class="searchButton" id="mw-searchButton" value="Search Supki" type="submit">
                    </form>
                    </td>
                </tr>
                </tbody></table>
                <!-- End of the grey menu area -->


                <div id="mainMenu" style="display: none; visibility: hidden;">
                                        <div class="mainMenuItem"><a href="http://support.suso.com/supki/Special:Allpages">all pages</a></div>
                                        </div>

                    <div id="editMiniMenu" style="display: none; visibility: hidden;">
                    <div class="editMiniItem"><a href="http://support.suso.com/w/index.php?title=SSH_Tutorial_for_Linux&amp;action=history">changes</a></div>
                    <div class="editMiniItem"><a href="http://support.suso.com/supki/Special:RecentChangesLinked/SSH_Tutorial_for_Linux">related changes</a></div>
                    <div class="editMiniItem"><a href="http://support.suso.com/w/index.php?title=Talk:SSH_Tutorial_for_Linux&amp;action=edit&amp;redlink=1">discuss</a></div>
                                    </div> <!-- end of wiki menus -->

                <div id="pageHeader">

                    <div id="editMenu">
                                            </div>

                    <div id="pageTitle"><a href="http://support.suso.com/supki/SSH_Tutorial_for_Linux">SSH Tutorial for Linux</a></div>

                </div>

                <div id="bodyContent">
                <!-- start content -->
                <div id="emptyDiv"></div>
<p>This document covers the SSH client on the <a href="http://support.suso.com/supki/Linux" title="Linux">Linux</a> Operating System and other OSes that use OpenSSH. If you use <a href="http://support.suso.com/supki/Windows" title="Windows">Windows</a>, please read the document <a href="http://support.suso.com/supki/SSH_Tutorial_for_Windows" title="SSH Tutorial for Windows">SSH Tutorial for Windows</a>
 If you use Mac OS X or other Unix based system, you should already have
 OpenSSH installed and can use this document as a reference.
</p>
<p class="template-tipbox">This article is one of the top tutorials 
covering SSH on the Internet. It was originally written back in 1999 and
 was completely revised in 2006 to include new and more accurate 
information. As of October, 2008, it has been read by over 473,600 
people and consistently appears at the top of Google's search results 
for SSH Tutorial and Linux SSH.</p>
<table id="toc" class="toc" summary="Contents"><tbody><tr><td><div id="toctitle"><h2>Contents</h2> <span class="toctoggle">[<a href="javascript:toggleToc()" class="internal" id="togglelink">hide</a>]</span></div>
<ul>
<li class="toclevel-1"><a href="#What_Is_SSH.3F"><span class="tocnumber">1</span> <span class="toctext">What Is SSH?</span></a></li>
<li class="toclevel-1"><a href="#Getting_Started"><span class="tocnumber">2</span> <span class="toctext">Getting Started</span></a></li>
<li class="toclevel-1"><a href="#Generating_a_key"><span class="tocnumber">3</span> <span class="toctext">Generating a key</span></a>
<ul>
<li class="toclevel-2"><a href="#Installing_your_public_key_manually"><span class="tocnumber">3.1</span> <span class="toctext">Installing your public key manually</span></a></li>
<li class="toclevel-2"><a href="#Installing_your_public_key_automatically"><span class="tocnumber">3.2</span> <span class="toctext">Installing your public key automatically</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#Using_the_ssh-agent_program"><span class="tocnumber">4</span> <span class="toctext">Using the ssh-agent program</span></a></li>
<li class="toclevel-1"><a href="#X11_Session_Forwarding"><span class="tocnumber">5</span> <span class="toctext">X11 Session Forwarding</span></a></li>
<li class="toclevel-1"><a href="#TCP_Port_Forwarding"><span class="tocnumber">6</span> <span class="toctext">TCP Port Forwarding</span></a></li>
<li class="toclevel-1"><a href="#SOCKS5_proxying"><span class="tocnumber">7</span> <span class="toctext">SOCKS5 proxying</span></a></li>
<li class="toclevel-1"><a href="#Running_Commands_Over_SSH"><span class="tocnumber">8</span> <span class="toctext">Running Commands Over SSH</span></a></li>
<li class="toclevel-1"><a href="#Using_SCP"><span class="tocnumber">9</span> <span class="toctext">Using SCP</span></a></li>
<li class="toclevel-1"><a href="#Keeping_Your_SSH_Session_Alive"><span class="tocnumber">10</span> <span class="toctext">Keeping Your SSH Session Alive</span></a></li>
<li class="toclevel-1"><a href="#Ending_your_SSH_session"><span class="tocnumber">11</span> <span class="toctext">Ending your SSH session</span></a></li>
<li class="toclevel-1"><a href="#External_References"><span class="tocnumber">12</span> <span class="toctext">External References</span></a></li>
<li class="toclevel-1"><a href="#Credits"><span class="tocnumber">13</span> <span class="toctext">Credits</span></a></li>
</ul>
</td></tr></tbody></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script>
<a name="What_Is_SSH.3F" id="What_Is_SSH.3F"></a><h2> <span class="mw-headline"> What Is SSH? </span></h2>
<p>There are a couple of ways that you can access a <a href="http://support.suso.com/supki/Shell_accounts" title="Shell accounts">shell</a>
 (command line) remotely on most Linux/Unix systems. One of the older 
ways is to use the telnet program, which is available on most network 
capable operating systems. Accessing a shell account through the telnet 
method though poses a danger in that everything that you send or receive
 over that telnet session is visible in plain text on your local 
network, and the local network of the machine you are connecting to. So 
anyone who can "sniff" the connection inbetween can see your username, 
password, email that you read, and commands that you run. For these 
reasons you need a more sophisticated program than telnet to connect to a
 remote host.
</p>
<div class="thumb tleft"><div class="thumbinner" style="width: 307px;"><a href="http://support.suso.com/supki/File:Telnet-Client-server-unencrypted.png" class="image" title="An unencrypted telnet session"><img alt="" src="SSH_Tutorial_for_Linux_files/Telnet-Client-server-unencrypted.png" class="thumbimage" height="209" width="305" border="0"></a>  <div class="thumbcaption"><div class="magnify"><a href="http://support.suso.com/supki/File:Telnet-Client-server-unencrypted.png" class="internal" title="Enlarge"><img src="SSH_Tutorial_for_Linux_files/magnify-clip.png" alt="" height="11" width="15"></a></div>An unencrypted telnet session</div></div></div>
<p>SSH, which is an acronym for Secure SHell, was designed and created 
to provide the best security when accessing another computer remotely. 
Not only does it encrypt the session, it also provides better 
authentication facilities, as well as features like secure file 
transfer, X session forwarding, port forwarding and more so that you can
 increase the security of other protocols. It can use different forms of
 encryption ranging anywhere from 512 bit on up to as high as 32768 bits
 and includes ciphers like AES (Advanced Encryption Scheme), Triple DES,
 Blowfish, CAST128 or Arcfour. Of course, the higher the bits, the 
longer it will take to generate and use keys as well as the longer it 
will take to pass data over the connection.
<br clear="ALL">
</p>
<div class="thumb tleft"><div class="thumbinner" style="width: 307px;"><a href="http://support.suso.com/supki/File:SSH-client-server-encrypted.png" class="image" title="An encrypted ssh session"><img alt="" src="SSH_Tutorial_for_Linux_files/SSH-client-server-encrypted.png" class="thumbimage" height="209" width="305" border="0"></a>  <div class="thumbcaption"><div class="magnify"><a href="http://support.suso.com/supki/File:SSH-client-server-encrypted.png" class="internal" title="Enlarge"><img src="SSH_Tutorial_for_Linux_files/magnify-clip.png" alt="" height="11" width="15"></a></div>An encrypted ssh session</div></div></div>
<p>These two diagrams on the left show how a telnet session can be 
viewed by anyone on the network by using a sniffing program like 
Ethereal (now called Wireshark) or Sniffit. It is really rather trivial 
to do this and so anyone on the network can steal your passwords and 
other information. The first diagram shows user jsmith logging in to a 
remote server through a telnet connection. He types his username jsmith 
and password C0lts06!, which are viewable by anyone who is using the 
same networks that he is using.
</p><p>The second diagram shows how the data in an encrypted connection 
like SSH is encrypted on the network and so cannot be read by anyone who
 doesn't have the session-negotiated keys, which is just a fancy way of 
saying the data is scrambled. The server still can read the information,
 but only after negotiating the encrypted session with the client.
<br clear="ALL">
</p>
<p class="template-tipbox">When I say scrambled, I don't mean like the 
old cable pay channels where you can still kinda see things and hear the
 sound, I mean really scrambled. Usually encryption means that the data 
has been changed to such a degree that unless you have the key, its 
really hard to crack the code with a computer. It will take on the order
 of years for commonly available computer hardware to crack the 
encrypted data. The premise being that by the time you could crack it, 
the data is worthless.</p>
<a name="Getting_Started" id="Getting_Started"></a><h2> <span class="mw-headline"> Getting Started </span></h2>
<p>This tutorial isn't going to cover how to install SSH, but will cover
 how to use it for a variety of tasks. Consult your Linux distribution's
 document for information on how to setup OpenSSH.
</p><p>Chances are that if you are using a version of Linux that was 
released after 2002, that you already have OpenSSH installed. The 
version of SSH that you will want to use on Linux is called OpenSSH. As 
of this writing (October 2009), the latest version available is 5.3, but
 you may encounter versions from 3.6 on up. If you are using anything 
lower than version 3.9, I'd strongly advise you to upgrade it.
</p>
<p class="template-tipbox">OpenSSH can be obtained from <a href="http://www.openssh.org/" class="external free" title="http://www.openssh.org/" rel="nofollow">http://www.openssh.org/</a></p>
<p>To really make ssh useful, you need a shell account on a remote machine, such as on a suso.org account.
</p><p>The first thing we'll do is simply connect to a remote machine. 
This is accomplished by running 'ssh hostname' on your local machine. 
The hostname that you supply as an argument is the hostname of the 
remote machine that you want to connect to. By default ssh will assume 
that you want to authenticate as the same user you use on your local 
machine. To override this and use a different user, simply use 
remoteusername@hostname as the argument. Such as in this example: 
</p>
<p class="commandbox">ssh username@username.suso.org</p>
<p><br>
The first time around it will ask you if you wish to add the remote host to a list of known_hosts, go ahead and say yes.
</p>
<p class="shellterminalbox">The authenticity of host 'arvo.suso.org (216.9.132.134)' can't be established.
RSA key fingerprint is 53:b4:ad:c8:51:17:99:4b:c9:08:ac:c1:b6:05:71:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'arvo.suso.org' (RSA) to the list of known hosts.</p>
<p><br>
It is important to pay attention to this question however because this 
is one of SSH's major features. Host validation. To put it simply, ssh 
will check to make sure that you are connecting to the host that you 
think you are connecting to. That way if someone tries to trick you into
 logging into their machine instead so that they can sniff your SSH 
session, you will have some warning, like this:
</p>
<p class="shellterminalbox">@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for arvo.suso.org has changed,
and the key for the according IP address 216.9.137.122
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/suso/.ssh/known_hosts:10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
96:92:62:15:90:ec:40:12:47:08:00:b8:f8:4b:df:5b.
Please contact your system administrator.
Add correct host key in /home/suso/.ssh/known_hosts to get rid of this message.
Offending key in /home/suso/.ssh/known_hosts:53
RSA host key for arvo.suso.org has changed and you have requested strict
checking.
Host key verification failed.</p>
<p>If you ever get a warning like this, you should stop and determine if
 there is a reason for the remote server's host key to change (such as 
if SSH was upgraded or the server itself was upgraded). If there is no 
good reason for the host key to change, then you should not try to 
connect to that machine until you have contacted its administrator about
 the situation. If this is your own machine that you are trying to 
connect to, you should do some computer forensics to determine if the 
machine was hacked (yes, linux can be hacked). Or maybe your home 
computer's IP address has changed such as if you have a dynamic IP 
address for DSL. One time I received this message when trying to connect
 to my home machine's DSL line. I thought it was odd since I hadn't 
upgraded SSH or anything on my home machine and so I choose not to try 
to override the cached key. It was a good thing that I didn't try 
because I found out that my dynamic IP address had changed and that out 
of chance, another Linux machine running OpenSSH took my old IP.
</p><p>After saying yes, it will prompt you for your password on the 
remote system. If the username that you specified exists and you type in
 the remote password for it correctly then the system should let you in.
 If it doesn't, try again and if it still fails, you might check with 
the administrator that you have an account on that machine and that your
 username and password is correct.
</p><p><br>
</p>
<a name="Generating_a_key" id="Generating_a_key"></a><h2> <span class="mw-headline"> Generating a key </span></h2>
<p>Now that you have spent all that time reading and are now connected, 
go ahead and logout.&nbsp;;-) Once you're back to your local computer's 
command prompt enter the command 'ssh-keygen -t dsa'.
</p>
<p class="commandbox">ssh-keygen -t dsa</p>
<p>It should begin spitting out the following:
</p>
<p class="shellterminalbox">Generating public/private dsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/localuser/.ssh/id_dsa.
Your public key has been saved in /home/localuser/.ssh/id_dsa.pub.
The key fingerprint is:
93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 localuser@mybox.home.com</p>
<p>It will prompt you for the location of the keyfile. Unless you have 
already created a keyfile in the default location, you can accept the 
default by pressing 'enter'.
</p><p>Next it will ask you for a passphrase and ask you to confirm it. 
The idea behind what you should use for a passphrase is different from 
that of a password. Ideally, you should choose something unique and 
unguessable, just like your password, but it should probably be 
something much longer, like a whole sentence. Here are some examples of 
passphrases I've used in the past:
</p>
<p class="template-example-text">The right thing changes from state to state</p>
<p class="template-example-text">the purpose of life is to give it purpose</p>
<p class="template-example-text">They're not going to guess this passphrase!</p>
<p class="template-example-text">The RIAA can just suck my big ass</p>
<p class="template-example-text">It is never a good day at Teletron</p>
<p>Some passphrases that I've used have had as many as 60 characters 
along with punctuation and numbers. This makes the passphrase harder to 
guess. To give you an idea of how much more secure a passphrase is than a
 password. Consider this. Even if you narrowed down the number of words 
someone could use in a passphrase to 2000 potential words, if that 
person used 5 words in a sentence from that 2000 word set, it would mean
 there are 32,000,000,000,000,000 different combinations. Compare this 
with 6,095,689,385,410,816, which is the total possible combinations in 
an 8 character password using upper and lower case characters, numbers 
and punctuation (about 94 potential characters).  So an 8 character 
password has 5.25 times <i>less</i> combinations than a 5 word 
passphrase. In actuality, most people choose words from a set of 10,000 
or more words, bringing the complexity of a 5 word passphrase to 16,405 
or more times greater than that of a 8 character password. So on 
average, the difficulty of cracking a passphrase is much greater than 
any password that could be used.  Interestingly, the potential number of
 combinations of 8 word passphrase of someone with an adult vocabulary 
(8000 words or more) is almost equal to the number of 8 character 
password combinations multiplied by itself or about 
16,777,216,000,000,000,000,000,000,000,000 combinations.
</p>
<p class="template-warningbox">Don't use any famous quotes or phrases 
for your passphrase, they may be easily guessed by another person or by a
 brute force cracking program.</p>
<p>The reason why you would generate a keyfile is so that you can 
increase the security of your SSH session by not using your system 
password. When you generate a key, you are actually generating two key 
files. One private key and one public key, which is different from the 
private key. The private key should always stay on your local computer 
and you should take care not to lose it or let it fall into the wrong 
hands. Your public key can be put on the machines you want to connect to
 in a file called .ssh/authorized_keys. The public key is safe to be 
viewed by anybody and mathematically cannot be used to derive the 
private key. Its just like if I gave you a number 38,147,918,357 and 
asked you to find the numbers and operations I used to generate that 
number. There are nearly infinate possibilities.
</p><p>Whenever you connect via ssh to a host that has your public key 
loaded in the authorized_keys file, it will use a challenge response 
type of authentication which uses your private key and public key to 
determine if you should be granted access to that computer It will ask 
you for your key passphrase though. But this is your local ssh process 
that is asking for your passphrase, not the ssh server on the remote 
side. It is asking to authenticate you according to data in your private
 key. Using key based authentication instead of system password 
authentication may not seem like much of a gain at first, but there are 
other benefits that will be explained later, such as logging in 
automatically from X windows.
</p><p><br>
</p>
<a name="Installing_your_public_key_manually" id="Installing_your_public_key_manually"></a><h3> <span class="mw-headline"> Installing your public key manually </span></h3>
<p>If you do not have the ssh-copy-id program available, then you must 
use this manual method for installing your ssh key on the remote host. 
Even if you do have the ssh-copy-id program, its good to do the manual 
installation at least once so that you have a good understanding of what
 is going on, because this is where a lot of people end up having 
problems.
</p><p>Go ahead and copy your public key which is in ~/.ssh/id_dsa.pub to the remote machine. 
</p>
<p class="commandbox">scp ~/.ssh/id_dsa.pub username@arvo.suso.org:.ssh/authorized_keys</p>
<p>It will ask you for your system password on the remote machine and 
after authenticating it will transfer the file. You may have to create 
the .ssh directory in your home directory on the remote machine first. 
By the way, scp is a file transfer program that uses ssh. We'll talk 
more about it later.
</p><p>Now when ssh to the remote machine, it should ask you for your 
key passphrase instead of your password. If it doesn't, it could be that
 the permissions and mode of the authorized_keys file and .ssh directory
 on the remote server need to be set more restrictively. You can do that
 with these commands on the remote server:
</p>
<p class="commandbox">chmod 700 ~/.ssh<br>
chmod 600 ~/.ssh/authorized_keys</p>
<p>You can also put the public key in the remote authorized_keys file by
 simply copying it into your paste buffer, logging into the remote 
machine and pasting it directly into the file from an editor like vi, 
emacs or nano. I would recommend using the 'cat' program to view the 
contents of the public key file though because using less will end up 
breaking the single line into multiple lines.
</p>
<p class="commandbox">cat ~/.ssh/id_dsa.pub</p>
<a name="Installing_your_public_key_automatically" id="Installing_your_public_key_automatically"></a><h3> <span class="mw-headline"> Installing your public key automatically </span></h3>
<p>A newer way that you can quite easily install your public ssh key on a remote host is with the ssh-copy-id program like this:
</p>
<p class="commandbox">ssh-copy-id yourusername@your.website.com</p>
<p>It will prompt you for your password on the remote host and take care
 of the rest. That was easy. So why didn't I just tell you how to use 
this program in the first place?  Well, in my experience, many of the 
problems people have with ssh revolve around trying to get their ssh 
public key installed correctly. Its a good thing that they've made a 
program to do the dirty work for you, but in the interest of building 
your skills, you should at least do the manual install once so that you 
know what is involved.
</p>
<a name="Using_the_ssh-agent_program" id="Using_the_ssh-agent_program"></a><h2> <span class="mw-headline"> Using the ssh-agent program </span></h2>
<p>The true usefulness of using key based authentication comes in the 
use of the ssh-agent program. Usually, the ssh-agent program is a 
program that starts up before starting X windows and in turn starts X 
windows for you. All X windows programs inherit a connection back to the
 ssh-agent, including your terminal windows like Gnome Terminal, aterm, 
xterm and so on. What this means is that after you've started up X 
windows through ssh-agent, you can use the ssh-add program to add your 
passphrase one time to the agent and the agent will in turn pass this 
authentication information automatically every time you need to use your
 passphrase. So the next time you run:
</p>
<p class="commandbox">ssh username@arvo.suso.org</p>
<p>you will be logged in automatically without having to enter a 
passphrase or password. Most recent distributions will automatically 
start ssh-agent when you login to X windows through a session manager 
like gdm (graphical login). I found that as of this writing the 
following distributions started ssh-agent by default.
</p>
<ul><li>Debian
</li><li>Fedora
</li><li>Gentoo
</li><li>SuSE 
</li><li>Ubuntu
</li></ul>
<p>Most distributions prior to about 2002 did not start it. 
</p><p>Don't worry if you don't see your distro listed in here. You can check if it is already running by running this command. 
</p>
<p class="commandbox">ps auxw</p>
<p>If there is an ssh-agent process listed there, then you can just 
start using it, otherwise, you should consult your distribution's 
documentation on OpenSSH and running the ssh-agent.
</p><p>Once you've verified that ssh-agent is running, you can add your ssh key to it by running the ssh-add command: 
</p>
<p class="commandbox">ssh-add</p>
<p>If the program finds the DSA key that you created above, it will 
prompt you for the passphrase. Once you have done so it should tell you 
that it has added your identity to the ssh-agent:
</p>
<p class="shellterminalbox">Identity added: /home/username/.ssh/id_dsa (/home/username/.ssh/id_dsa)</p>
<p>Now you can try logging into that remote machine again and this time 
you will notice that it just logs you right in without prompting you for
 any password or passphrase.
</p><p>To make adding your passphrase easier, you can add the ssh-add 
program to your desktop session startup programs and it will bring up a 
prompt in X windows to ask for your passphrase every time you login to 
your desktop. You should also have the gtk2-askpass program installed. 
Or x11-askpass. They are the real programs that actually prompt you for 
your password. ssh-add just runs them if its not being run in a 
terminal. Below is a screenshot of the Gnome Sessions Configuration 
dialog with ssh-add added to the startup programs.
</p>
<div class="thumb tleft"><div class="thumbinner" style="width: 459px;"><a href="http://support.suso.com/supki/File:Gnome-session-ssh-add.png" class="image" title="Gnome Session with ssh-add program set to run and prompt for your key's passphrase"><img alt="" src="SSH_Tutorial_for_Linux_files/Gnome-session-ssh-add.png" class="thumbimage" height="344" width="457" border="0"></a>  <div class="thumbcaption"><div class="magnify"><a href="http://support.suso.com/supki/File:Gnome-session-ssh-add.png" class="internal" title="Enlarge"><img src="SSH_Tutorial_for_Linux_files/magnify-clip.png" alt="" height="11" width="15"></a></div>Gnome Session with ssh-add program set to run and prompt for your key's passphrase</div></div></div>
<p><br clear="ALL">
</p><p><br>
</p>
<a name="X11_Session_Forwarding" id="X11_Session_Forwarding"></a><h2> <span class="mw-headline"> X11 Session Forwarding </span></h2>
<p>One lesser known feature of X windows is its network transparency. It
 was designed to be able to transmit window and bitmap information over a
 network connection. So essentially you can login to a remote desktop 
machine and run some X windows program like Gnumeric, Gimp or even 
Firefox and the program will run on the remote computer, but will 
display its graphical output on your local computer.
</p><p>To try this out, you will need an account on a remote computer 
that has X windows installed with some X windows applications. suso.org 
servers do not have any such programs so you will need to either login 
to one of your other workstations or another server that does have them.
 The key to making it work is using the -X option, which means "forward 
the X connection through the SSH connection". This is a form of 
tunneling. 
</p>
<p class="commandbox">ssh -X username@desktopmachine.domain.com</p>
<p>If this doesn't work, you may have to setup the SSH daemon on the 
remote computer to allow X11Forwarding, check that the following lines 
are set in /etc/ssh/sshd_config on that computer:
</p>
<p class="filedatabox">X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes</p>
<p>For some newer programs and newer versions of X windows, you may need
 to use the -Y option instead for trusted X11 forwarding. Try using this
 option if your X11 windows program fails to start running with a 
message like this one that was for Gimp:
</p>
<p class="shellterminalbox">The program 'gimp-2.2' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
(Details: serial 154 error_code 3 request_code 38 minor_code 0)
(Note to programmers: normally, X errors are reported asynchronously;
that is, you will receive the error a while after causing it.
To debug your program, run it with the --sync command line
option to change this behavior. You can then get a meaningful
backtrace from your debugger if you break on the gdk_x_error()
function.)</p>
<p><br>
</p>
<a name="TCP_Port_Forwarding" id="TCP_Port_Forwarding"></a><h2> <span class="mw-headline"> TCP Port Forwarding </span></h2>
<p>Like X11 session forwarding, SSH can also forward other TCP 
application level ports both forward and backwards across the SSH 
session that you establish.
</p><p>For example, you can setup a port forward for your connection 
from your home machine to arvo.suso.org so that it will take connections
 to localhost port 3306 and forward them to the remote side 
mysql.suso.org port 3306. Port 3306 is the port that the MySQL server 
listens on, so this would allow you to bypass the normal host checks 
that the MySQL server would make and allow you to run GUI MySQL programs
 on your local computer while using the database on your suso account. 
Here is the command to accomplish this: 
</p>
<p class="commandbox">ssh -L 3306:mysql.suso.org:3306 username@arvo.suso.org</p>
<p>The -L (which means Local port) takes one argument of
</p><p>&lt;local-port&gt;:&lt;connect-to-host&gt;:&lt;connect-to-port&gt;
</p><p>so you specify what host and port the connection will go to on 
the other side of the SSH connection. When you make a connection to the 
&lt;local-port&gt; port, it sends the data through the SSH connection 
and then connects to &lt;connect-to-host&gt;:&lt;connect-to-port&gt; on 
the other side. From the point of view of &lt;connect-to-host&gt;, its 
as if the connection came from the SSH server that you login to. In the 
case above, arvo.suso.org.
</p><p>This is much like a VPN connection allows you to act like you are making connections from the remote network that you VPN into.
</p><p>Take a moment to think of other useful connections you can make with this type of network tunnel.
</p><p>Another useful one is for when you are away from home and can't 
send mail through your home ISP's mail server because it only allows 
local connections to block spam. You can create an SSH tunnel to an SSH 
server that is local to your ISP and then have your GUI mail client like
 Thunderbird make a connection to localhost port 8025 to send the mail. 
Here is the command to create the tunnel:
</p>
<p class="commandbox">ssh -L 8025:smtp.homeisp.net:25 username@shell.homeisp.net</p>
<p>One thing to note is that non-root users do not normally have the 
ability to listen on network ports lower than 1024, so listening on port
 25 would not work, thus we use 8025. It really doesn't matter, you can 
use any port as long as your email client can connect to it.
</p><p>You can also reverse the direction and create a reverse port 
forward. This can be useful if you want to connect to a machine remotely
 to allow connections back in. For instance, I use this sometimes so 
that I can create a reverse port 22 (SSH) tunnel so that I can reconnect
 through SSH to a machine that is behind a firewall once I have gone 
away from that network. 
</p>
<p class="commandbox">ssh -R 8022:localhost:22 username@my.home.ip.address</p>
<p>This will connect to my home machine and start listening on port 8022
 there. Once I get home, I can then connect back to the machine I 
created the connection from using the following command:
</p>
<p class="commandbox">ssh -p 8022 username@localhost</p>
<p>Remember to use the right username for the machine that you started 
the tunnel from. It can get confusing. You also have to keep in mind 
that since you are connecting to the host called localhost, but its 
really a port going to a different SSH server, you may wind up with a 
different host key for localhost the next time you connect to localhost.
 In that case you would need to edit your .ssh/known_hosts file to 
remove the localhost line. You really should know more about SSH before 
doing this blindly.
</p><p>As a final exercise, you can keep your reverse port forward open all the time by starting the connection with this loop: 
</p>
<p class="commandbox">while true&nbsp;; do ssh -R 8022:localhost:22 suso@my.home.ip.address&nbsp;; sleep 60&nbsp;; done</p>
<p>This way, if you happen to reboot your home machine, the reverse 
tunnel will try to reconnect after 60 seconds. Provided you've setup 
keys and your ssh-agent on the remote machine.&nbsp;;-)
</p><p><br>
</p>
<a name="SOCKS5_proxying" id="SOCKS5_proxying"></a><h2> <span class="mw-headline"> SOCKS5 proxying </span></h2>
<p>So thats great and all, but eventually you are going to want to know 
how you can do tunneling without having to specify the address that you 
want to forward to.
</p><p>This is accomplished through the -D SOCKS5 option. 
</p>
<p class="commandbox">ssh -D 9999 username@remotehost.net</p>
<p>Any application that supports the SOCKS5 protocol (and most of the 
big network programs do) can forward its network connection over SSH and
 dynamically forward to any hostname that you specify. So for a web 
browser, any URL that you type in the URL field, would be sent through 
the SSH tunnel. Firefox, Xchat, Gaim and many others all support using 
SOCKS5. The setting is usually under preferences in the connection 
settings.
</p>
<p class="template-warningbox">Remember, in the words of Benjamin "Uncle
 Ben" Parker, with great power comes great responsibility. Just because 
you can get around firewalls and use other hosts for sending network 
traffic, doesn't mean that some system administrator isn't going to 
notice you.</p>
<p><br>
</p>
<a name="Running_Commands_Over_SSH" id="Running_Commands_Over_SSH"></a><h2> <span class="mw-headline">  Running Commands Over SSH </span></h2>
<p>Sometimes you don't really want to run a shell like Bash on the host 
you are connecting to. Maybe you just want to run a command and exit. 
This is very simply accomplished by putting the command you wish to run 
at the end of your ssh connection command.
</p>
<p class="commandbox">ssh username@remotehost.net ls -l /</p>
<p>This will probably generate output simular to the following.
</p>
<p class="shellterminalbox">total 220
drwxr-xr-x    2 root root    4096 Nov  9 04:08 bin
drwxr-xr-x    3 root root    4096 Nov 11 09:29 boot
drwxr-xr-x   23 root root  122880 Nov 14 02:36 dev
drwxr-xr-x   68 root root   12288 Jan 10 04:03 etc
drwxr-xr-x  189 root root    4096 Jan  9 00:40 home
drwxr-xr-x    2 root root    4096 Mar 12  2004 initrd
drwxr-xr-x    9 root root    4096 Nov  9 04:07 lib
drwx------    2 root root   16384 Sep 26  2004 lost+found
drwxr-xr-x    2 root root    4096 Apr 14  2004 misc
drwxr-xr-x    6 root root    4096 Nov 12 02:11 mnt
drwxr-xr-x    3 root root    4096 Oct 15 22:17 opt
dr-xr-xr-x  307 root root       0 Nov 14 02:36 proc
drwx------   44 root root    8192 Jan  9 16:23 root
drwxr-xr-x    2 root root    8192 Nov  9 04:08 sbin
drwxr-xr-x    2 root root    4096 Mar 12  2004 selinux
drwxr-xr-x    9 root root       0 Nov 14 02:36 sys
drwxrwxrwt   20 root root    4096 Jan 10 06:46 tmp
drwxr-xr-x   17 root root    4096 Dec  7  2004 usr
drwxr-xr-x   26 root root    4096 Jan 10  2005 var</p>
<p>Then you can process the output however you want using the normal shell conventions.
</p><p>You can also do something called forced-command where you force 
any login attempt to run a specific command regardless of what is 
specified on the command line by the client.
</p><p>To do this, you put this variable and the command you want to force in the authorized_keys file on the remote host:
</p>
<p class="filedatabox">command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvna.....</p>
<p>Put the variable before the start of the line for the key. There are 
other variables you can use here like from="" to allow only from a 
specific host. These variables can be put together seperated by commas.
</p><p><br>
</p><p><br>
</p><p><br>
(This space is intentionally left blank)
</p><p><br>
</p><p><br>
</p><p><br>
</p>
<a name="Using_SCP" id="Using_SCP"></a><h2> <span class="mw-headline"> Using SCP </span></h2>
<p>SCP is basically a program that uses the SSH protocol to send files 
between hosts over and encrypted connection. You can transfer files from
 your local computer to a remote host or vice versa or even from a 
remote host to another remote host.
</p><p>Here is a basic command that copies a file called report.doc from
 the local computer to a file by the same name on the remote computer. 
</p>
<p class="commandbox">scp report.doc username@remote.host.net:</p>
<p>Note how the lack of a destination filename just preserves the 
original name of the file. This is also the case if the remote 
destionation includes the path to a directory on the remote host.
</p><p>To copy the file back from the server, you just reverse the from and to. 
</p>
<p class="commandbox">scp username@remote.host.net:report.doc report.doc</p>
<p>If you want to specify a new name for the file on the remote computer, simply give the name after the colon on the to side.
</p>
<p class="commandbox">scp report.doc username@remote.host.net:monday.doc</p>
<p>Or if you want to copy it to a directory relative to the home directory for the remote user specified.
</p>
<p class="commandbox">scp report.doc username@remote.host.net:reports/monday.doc</p>
<p>You can also use fullpaths which are preceeded with a /.
</p><p>To copy a whole directory recursively to a remote location, use 
the -r option. The following command copies a directory named mail to 
the home directory of the user on the remote computer.
</p>
<p class="commandbox">scp -r mail username@remote.host.net:</p>
<p>Sometimes you will want to preserve the timestamps of the files and 
directories and if possible, the users, groups and permissions. To do 
this, use the -p option.
</p>
<p class="commandbox">scp -rp mail username@remote.host.net:</p>
<p><br>
</p>
<a name="Keeping_Your_SSH_Session_Alive" id="Keeping_Your_SSH_Session_Alive"></a><h2> <span class="mw-headline"> Keeping Your SSH Session Alive </span></h2>
<p>Sometimes you may have trouble keeping your SSH session up and idle. 
For whatever reason, the connection just dies after X minutes of 
inactivity. Usually this happens because there is a firewall between you
 and the internet that is configured to only keep stateful connections 
in its memory for 15 or so minutes.
</p><p>Fortunately, in recent versions of OpenSSH, there is a fix for this problem. Simply put the following: 
</p>
<p class="filedatabox">Host *
Protocol 2
TCPKeepAlive yes
ServerAliveInterval 60</p>
<p>in the file
</p>
<div class="fileemphasize">~/.ssh/config</div>
<p>The file above can be used for any client side SSH configuration. See
 the ssh_config man page for more details. The 'TCPKeepAlive yes' 
directive tells the ssh client that it should send a little bit of data 
over the connection periodically to let the server know that it is still
 there. 'ServerAliveInterval 60' sets this time period for these 
messages to 60 seconds. This tricks many firewalls that would otherwise 
drop the connection, to keep your connection going.
</p><p><br>
</p>
<a name="Ending_your_SSH_session" id="Ending_your_SSH_session"></a><h2> <span class="mw-headline"> Ending your SSH session </span></h2>
<p>All good things come to an end. And there are many common ways to end your SSH session.
</p>
<p class="commandbox">exit</p>
<p class="commandbox">logout</p>
<p class="commandbox">(Ctrl-d)</p>
<p>The last one is actually the user pressing the 'Ctrl' key and the 
letter 'd' at the same time. These all are ways of terminating the SSH 
session from the server side. They usually exit the shell which in turn 
logs you off the machine.
</p><p>What you may not know, is that there is another way to close an 
SSH session. This is useful if you lose connectivity with the machine 
and you have no way of ending your shell session. For example, this 
happens momentarily if you stay logged into a machine while it is 
shutdown. SSH has its own command line escape sequences. These can be 
used to end connections, create new port forwards or list current ones 
and a few other functions. To end a connection even when you don't have a
 command prompt, type return twice (for good measure) and then the 
sequence '~.'. That's a tilde followed by a period. 
</p>
<p class="commandbox">(RETURN) (RETURN) ~.</p>
<p>This will terminate the SSH connection from the client end instead of the server end.
</p><p>Happy SSH'ing! 
</p><p><br>
</p>
<a name="External_References" id="External_References"></a><h2> <span class="mw-headline"> External References </span></h2>
<p>Here are some links where you can find more information about SSH
</p>
<ul><li><a href="http://www.bloomingtonlinux.org/wiki/15th_meeting" class="external text" title="http://www.bloomingtonlinux.org/wiki/15th_meeting" rel="nofollow">Mark's presentation notes from the January 2006 BLUG meeting</a>
</li><li><a href="http://www.openssh.org/" class="external text" title="http://www.openssh.org/" rel="nofollow">OpenSSH Website</a>
</li><li><a href="http://www.employees.org/%7Esatch/ssh/faq/" class="external text" title="http://www.employees.org/~satch/ssh/faq/" rel="nofollow">The SSH FAQ</a>
</li><li><a href="http://en.wikipedia.org/wiki/Secure_Shell" class="external text" title="http://en.wikipedia.org/wiki/Secure_Shell" rel="nofollow">Secure Shell article in Wikipedia</a>
</li><li><a href="http://www.suso.org/docs/shell/ssh.sdf" class="external text" title="http://www.suso.org/docs/shell/ssh.sdf" rel="nofollow">The old non-wiki version of this tutorial</a> (last modified 2007-08-04)
</li><li><a href="http://www.suso.org/docs/shell/ssh-19990221.sdf" class="external text" title="http://www.suso.org/docs/shell/ssh-19990221.sdf" rel="nofollow">The much older version of this tutorial</a> (1999-02-21)
</li><li><a href="http://www.digg.com/linux_unix/SSH_Tutorial_for_Linux" class="external text" title="http://www.digg.com/linux_unix/SSH_Tutorial_for_Linux" rel="nofollow">Linked to by digg.com front page</a> (2006-03-03) (823 diggs!) 
</li></ul>
<p><br>
</p>
<a name="Credits" id="Credits"></a><h2> <span class="mw-headline"> Credits </span></h2>
<ul><li> Original document, graphics and examples by Mark Krenz (mark@suso.org)
</li><li> Thank you to the following people for sending corrections:
<ul><li><b>Zake Stahl</b> (Several corrections)
</li><li><b>Christopher Mylonas</b> (noticing that MySQL should be 3306, not 3066)
</li><li><b>Tehiri Tehiri</b> (Suggesting a clarification in the username and password prompt section)
</li><li><b>Behrang Saeedzadeh</b> (Noticing contact typo)
</li><li><b>Pratik Mallya</b> (Suggesting I mention ssh-copy-id)
</li><li>Other people listed on the history page of this document.
</li></ul>
</li></ul>

<!-- 
NewPP limit report
Preprocessor node count: 296/1000000
Post-expand include size: 7590/2097152 bytes
Template argument size: 6234/2097152 bytes
Expensive parser function count: 0/100
-->

<!-- Saved in parser cache with key supkidb:pcache:idhash:57-0!1!0!!en!2!edit=0 and timestamp 20110519201027 -->
<div class="printfooter">
Retrieved from "<a href="http://support.suso.com/supki/SSH_Tutorial_for_Linux">http://support.suso.com/supki/SSH_Tutorial_for_Linux</a>"</div>
<div id="catlinks"><div id="catlinks" class="catlinks"><div id="mw-normal-catlinks"><a href="http://support.suso.com/supki/Special:Categories" title="Special:Categories">Category</a>: <span dir="ltr"><a href="http://support.suso.com/supki/Category:Shell" title="Category:Shell">Shell</a></span></div></div></div><div id="lastmod">
</div>
                <!-- end content -->
                </div>


            </div><!-- end #bodyDiv -->
            </td>
        </tr>
        </tbody></table>
        </td>
        <td class="side_right_bg" rowspan="2"> </td>
  </tr>
  <!-- End body -->
  <!-- Begin footer -->
  <tr>
 
      <td class="footer_style">
      <div id="ouraddress">
      © Copyright 2004-2009 Suso Technology Services, Inc. <br><br>
      101 W.Kirkwood Ave Ste 222<br>
      Bloomington, Indiana
      </div>
      <div id="poweredbylogo">
                                <a href="http://www.mediawiki.org/"><img src="SSH_Tutorial_for_Linux_files/poweredby_mediawiki_88x31.png" alt="Powered by MediaWiki"></a>              </div>
      </td>

  </tr>
</tbody></table>

		<script type="text/javascript">if (window.runOnloadHook) runOnloadHook();</script>
                                                                                     
<!-- Served in 0.637 secs. --><!--                              .   -->
<!--                 \     /     / \  -->
<!-- DIVISION BETWEEN \OLD/ AND /NEW\ -->
<!--                   \ /     /     \-->
<!--                    '             -->
</body></html>